(54) Method and apparatus for recovering encryption session keys

(57) A method and apparatus allows a session key for an encrypted message to be recovered even if the recipient loses or forgets his private key. A session key encrypted using the public key of a party other than the intended recipient of the message is transmitted to the third party such as a certificate authority, who uses an identifier to retrieve private information known to the intended recipient of the message. The third party can compare the private information with private information provided by the party claiming to be the intended recipient. If the private information retrieved matches or nearly matches the private information provided, the third party can decrypt the session key using the third party's private key and provide the session key to the intended recipient. The intended recipient can then use the session key to decrypt the message, without making available the intended recipient's private key to any party other than the intended recipient, or storing the intended recipient's public key on the third party's system. Law enforcement agencies can intercept the message and the session key encrypted with the third party's public key and can provide to the third party a court order to retrieve the session key to decrypt the message without notifying the intended recipient.

Description

Field of the Invention 

The present invention is related to cryptography and more specifically to the recovery of encryption session keys.

Background of the Invention

Messages, such as those transmitted between computers, may be encrypted to prevent unintended recipients from reading them. Messages may be encrypted using a symmetric encryption algorithm and a session key, both described below. The message is decrypted using a decryption algorithm and the session key used to encrypt the message. When the same key is used to encrypt and decrypt the message, the process is known as symmetric encryption and decryption. The Data Encryption Standard (DES) is an example of such a symmetric encryption algorithm. DES is described in Schneier, Applied Cryptography, (2d. ed., John Wiley & Sons, 1996).

The sender of the message transforms the message into a scrambled message known as cypher text by applying the message and the session key as inputs to the encryption algorithm. The sender then transmits the cypher text to the recipient and provides the session key to the recipient using a separate or secure communication way. The recipient transforms the cypher text into the original message by applying the session key and the cypher text as inputs to the decryption algorithm, which reverses the scrambling performed by the encryption algorithm.

Where a secure communication channel is not available or it is not desirable to use a communication channel separate from the communication channel used to send the cypher text, asymmetric encryption may be used for sending the session key. Asymmetric encryption uses a separate process to encrypt the session key, so that it may be transmitted over any communication channel, such as the Internet.

With asymmetric encryption, a pair of keys is used to asymmetrically encrypt and decrypt a message. The pair of keys includes a public key and a private key. The public key may be made available to others and can be used to encrypt the session key using an asymmetric encryption algorithm. Unlike the session key of symmetric encryption, the public key cannot be used to decrypt that which has been encrypted with it. Instead, a mathematically-related private key is required to decrypt the cypher text encrypted with the corresponding public key. This technique allows the recipient to provide his or her public key to others for sending messages to him or her without providing them access to other messages encrypted using the public key.

Because asymmetric encryption and decryption can take longer to perform than symmetric encryption and decryption, a combination of both techniques is used to encrypt and decrypt a message. To prevent the sender from using a session key that is easily decipherable, such as the first name of the recipient, a session key generator may be used to generate a random session key of sufficient length. The message is encrypted using the relatively rapid symmetric encryption. The session key is encrypted using asymmetric encryption using the recipient's public key.

The encrypted session key and the cypher text are transmitted to the recipient. The recipient uses his private key to decrypt the encrypted session key, and then uses the session key to decrypt the message. Because the message is typically longer than the session key, the relatively more time consuming asymmetric encryption and decryption are performed only on the session key with relatively rapid symmetric encryption performed on the message.

The pair of public and private keys are generated by a cryptographic module, and provided to an individual, who shares the public key with others he expects will send him or her cypher text, while maintaining the secrecy of his or her private key. Because the generation of a private key using the public key is extremely difficult and time consuming, the recipient can even post his or her public key for the world to see.

In order to bind the public key and the identity of the owner, referred to herein as the "principal", a trusted party called a certificate authority ("CA") issues a certificate. The certificate provides evidence to third parties that a person owns the public key, so that no other party can claim ownership of the public key. In this manner, the public key is said to be "bound" to the owner.

The certificate authority can issue a certificate to any principal that wishes to bind his or her identity to the public key. In addition to the principal's public key, the certificate can include a certificate serial number; the principal's name; an organization name, which is often the principal's employer's name; an organizational unit name, often the division of the employer for whom the principal works; the locality, state and country of the employer or the residence of the principal; and a pair of dates between which the certificate is valid. In addition, the certificate can include the public key, the name or identifier of the certificate authority issuing the certificate, and an electronic signature that may be used to verify the authenticity and integrity of the certificate. When the keys are originally issued, the certificate authority issues the private key and the certificate.

To ensure security of the private key, only the owner of the private key has access to it. In the event that the recipient loses or forgets his private key, it is virtually impossible to decrypt messages encrypted using the recipient's public key. Some certificate authorities keep a copy of each private key in a vault or other form of key escrow. However, a breach of security would allow an intruder to steal the private key and decrypt any message sent to the recipient.

Therefore, there is a need for a method and system to allow individual messages to be decrypted only by the intended recipient of the message in the event that the intended recipient loses or forgets his private key without providing access to every message in the event of a breach of security, and with a minimum of disruption to the existing encryption procedures already in place.

In addition, the United States government presently 
has a policy of allowing more secure encryption and 
decryption software to be exported if a key recovery is 
provided to allow law enforcement agencies to decrypt 
specified messages encrypted. Therefore, there is a 
need for a method and system to allow such decryption 
of such specified messages without compromising the 
security of the other messages. 

Summary of Invention

The present invention provides an apparatus and a method for encrypting a message according to claims 1 and 5, respectively; an apparatus and a method for decrypting a method according to claims 11 and U, respectively; and an apparatus and a method for providing a session key according to claims 19 and 23, respectively. The present invention further encompasses computer program products the contents of which correspond to the claimed methods and apparatus for performing said methods and executing said apparatus.

In addition to the asymmetric encryption of the session key, a method and apparatus encrypts the session key and the intended recipient's public key or other identifier using the recipient's certificate authority's public key to create an encrypted key recovery field. The certificate authority stores the intended recipient's public key or other identifier and private information about the recipient such as the recipient's mother's maiden name and social security number in a database indexed using the public key. Should the recipient forget his private key or the password used to obtain it, he can send the encrypted key recovery field to the certificate authority, who can use its private key to decrypt the session key and the recipient's public key or other identifier. The public key is used to locate the private information about the recipient which the certificate authority can use to verify the identity of the requesting person who sent the encrypted key recovery field to the certificate authority. If the identity is sufficiently verified, the certificate authority can provide to the requesting person the session key it decrypts using its private key, which the requesting person can use to decrypt the message.

Because the information stored in the database may be provided by the principal to the certificate authority with the other information the principal provides for the certificate, the information stored in the database may be easily obtained. Because the key recovery field is added to the message, implementation does not interfere with existing encryption procedures. Because the certificate authority provides the session key for a single message, and only for those messages which it receives a key recovery field, breaches of security will not allow an intruder to decrypt other messages. Law enforcement agencies with a court order can require the certificate authority to decrypt the key recovery field, allowing more secure technology to be exported without compromising the security of the messages.

Brief Description of the Drawings 

Figure 1 is a block schematic diagram of a conventional computer system.

Figure 2 is a block schematic diagram of three computer systems coupled using two communications links according to one embodiment of the present invention.

Figure 3 is a block schematic diagram of a sender system according to one embodiment of the present invention.

Figure 4 is a block schematic diagram of a sender system according to one embodiment of the present invention.

Figure 5 is a block schematic diagram of a recipient system according to one embodiment of the present invention.

Figure 6 is a flowchart illustrating a method of encrypting a message according to one embodiment of the present invention.

Figure 7 is a flowchart illustrating a method of decrypting a message according to one embodiment of the present invention.

Figure 8 is a flowchart illustrating a method of providing a session key according to one embodiment of the present invention.

Detailed Description of a Preferred Embodiment

A trusted party such as a certificate authority requests from the principal and stores in a database certain information which may be used to identify the principal of the corresponding public key. Such information may include the principal's mother's maiden name, the principal's mother's date of birth, and the principal's social security number. The database is indexed using the principal's public key, allowing the principal's public key to be used to retrieve the answers.

When a sender wishes to send a message to a recipient, the following encryption procedure is used to encrypt and transmit the message. A session key is generated, for example by a conventional cryptographic module or other device capable of generating a session key, and the message is encrypted using this session key. The session key is encrypted using the recipient's public key. The sender also generates a key recovery field. The key recovery field includes the session key and can include recipient's public key, both encrypted using the public key of a trusted party such as the certificate authority that issued the certificate of the recipient's public key. The sender can send the encrypted message, encrypted session key and encrypted key recovery field to the recipient. The recipient can decrypt the encrypted session key using his or her private key, then decrypt the encrypted message using the decrypted session key.

If the recipient forgets his or her private key or forgets the password used to retrieve it, the recipient can forward the key recovery field to the certificate authority, who decrypts the key recovery field to obtain the session key and the recipient's public key. Using the public key as an index to the database, the certificate authority can obtain the previously stored information. The certificate authority requests the same information from the recipient of the message, and verifies the identity of the recipient by comparing the stored information with the information provided by the recipient. If both sets of information match, the certificate authority can provide the session key to the recipient, who may use it to decrypt the message.

In one embodiment, the present invention is implemented as computer software running on conventional computer systems, with one or more systems acting as one or more servers and one or more systems acting as one or more clients, although other implementations may be used.

Referring now to Figure 1, a conventional computer system 150 for practicing the present invention is shown. Processor 160 retrieves and executes software instructions stored in storage 162 such as memory which may be Random Access Memory (RAM) and may control other components to perform the present invention. Storage 162 may be used to store program instructions or data or both. Storage 164, such as a computer disk drive or other nonvolatile storage, may provide storage of data or program instructions. In one embodiment, storage 164 provides longer term storage of instructions and data, with storage 162 providing storage for data or instructions that may only be required for a shorter time than that of storage 164. Input device 166 such as a computer keyboard or mouse or both allows user input to the system 150. Output 168, such as a display or printer, allows the system to provide information such as instructions, data or other information to the user of the system 150. Storage input device 170 such as a conventional floppy disk drive or CD-ROM drive accepts via input 172 computer program product 174 such as a conventional floppy disk or CD-ROM that may be used to transport computer instructions or data to the system 150. Computer program product 174 has encoded thereon computer readable program code devices 176, such as magnetic charges in the case of a floppy disk or optical encodings in the case of a CD-ROM which are encoded to configure the computer system 150 to operate as described below.

In one embodiment, three computer systems 150 may be used to implement the present invention. Referring now to Figure 2, three computer systems 210, 212, 214 coupled with two remote communications links 220, 222 according to one embodiment of the present invention are shown. The computer systems 210, 212, 214 are systems 150 of Figure 1 with software performing the functions described herein. One system 210 is a sender system that operates to perform encryption and transmission functions described below to transmit encrypted messages to recipient system 212 via conventional communications link such as a pair of modems and a telephone line or the Internet. The second system 212 is a recipient system which receives and stores messages, encrypted session keys and encrypted key recovery fields received from the sender system 210, can forward the encrypted key recovery field to certificate authority system 214 via communications link 222 similar to communications link 220, can decrypt the session key when the proper private key is entered, and can decrypt messages once the session key is decrypted as described below. The third system 214 is a certificate authority system which can accept and decrypt an encrypted key recovery field received from the recipient system 212, provide the session key from the encrypted key recovery field and can be used to verify the identity of the party requesting the decryption of the key recovery field.

Referring now to Figures 1 and 2, in one embodiment, each system 150 for the computers 210, 212 and 214 is a conventional Sun Microsystems Ultra Sparc Creator computer running the Solaris 2.5.1 operating system commercially available from Sun Microsystems of Mountain View, California, although other systems may be used.

Referring now to Figure 3, the sender system 210 of Figure 2 according to one embodiment of the present invention is shown. A message is received for encryption to cypher text at input 306 and stored unencrypted in message storage 310. Conventional session key generator 312 generates a session key as a string of random alphanumeric characters or optionally receives a session key at input 304. Key generation is described in Schneier, Applied Cryptography, (2d. ed., John Wiley & Sons, 1996). The session key generated or received and stored in session key generator 312 and message text stored in message storage 310 is provided to conventional cypher text encryptor 320 which encrypts the message using conventional symmetric encryption techniques and using the session key and stores the cypher text. Conventional encryption techniques are described in Schneier, Applied Cryptography, (2d. ed., John Wiley & Sons, 1996).

In one embodiment, the message received by cypher text encryptor 320 contains a field having a known value for use as described below. In another embodiment, the cypher text encryptor 320 inserts the field with the known value into the message prior to encryption. The field is used as described below.

Trusted list accepts at input 308 and stores one or more public keys of persons or entities with whom the sender of the message stored in message storage 310 intends to communicate. These persons or entities to whom a message is directed are referred to as the "intended recipients". Using input 308, the sender indicates which of the keys from the trusted list 314 to use, and trusted list 314 passes the public key to conventional session key encryptor 322 which receives the session key from session key generator 312 and encrypts the session key using the recipient's public key specified using a conventional asymmetric encryption algorithm. Trusted list 314 also provides the public key to encrypted KRF generator 324, which receives the session key from session key generator 312 and appends the recipient's public key it receives to the session key.

In one embodiment, inputs 308 and 318 are coupled to the message storage 310 to allow designation of the intended recipient via one or more fields in the message. CA public key storage 316 contains the public keys of one or more certificate authorities that issued the public keys of the recipients stored in the trusted list 314. The certificate authority's public keys are entered using input 318 and the public key of the certificate authority corresponding to the recipient is designated by the user using input 318. In one embodiment, CA public key storage is a part of the trusted list, which contains for each potential recipient, their name, their public key and the public key of the certificate authority that issued their public key. This data is related along with the user name or other identifier of the intended recipient so that the user only needs to designate the name of the intended recipients in a message header: each intended recipient's public key and the corresponding public key of the certificate authority are automatically provided by trusted list 314 and/or including CA public key storage 316 using a look up based on the message header received from message storage 310.

Encrypted KRF generator 324 encrypts using conventional asymmetric encryption techniques the KRF it builds using the public key of the recipient's certificate authority it receives from CA public key storage 316. The unencrypted header of the message, cypher text of the message, encrypted KRF and encrypted session key are provided to transmitter 330 by message storage 310, cypher text encryptor 320, encrypted KRF generator 324 and session key encryptor 322, respectively, which transmits via output 332 the cypher text, encrypted session key and the encrypted KRF to the intended recipient based on the message header.

If there are additional intended recipients, the apparatus repeats the procedure above for each intended recipient identified using the inputs 308, 318 or the message header of the message stored in message storage 310.

Referring now to Figure 4, the recipient system 212 of Figure 2 according to one embodiment of the present invention is shown. The encrypted message, session key and key recovery field described above are received at input 408 and stored in encrypted session key storage 410, encrypted message storage 412 and encrypted key recovery field storage 414. Message decryptor 422 uses the display 424 to prompt the user of the system for his or her private key or for a password corresponding to his or her private key. The user types a key into keyboard 426 and encrypted session key decryptor 422 receives from encrypted session key storage 410 the encrypted session key and the key typed by the user and uses conventional asymmetric decryption techniques to produce a decrypted session key. The decrypted session key is provided by encrypted session key decryptor 420 to message decryptor 422. Message decryptor receives from encrypted message storage 412 the encrypted message and applies conventional symmetric decryption techniques to decrypt the message and provide it to the display 424 for display to the user. Decryption techniques are described in Schneier, Applied Cryptography, (2d. ed., John Wiley & Sons, 1996).

In one embodiment, if the user can recognize that the message has been properly decrypted, no further action is necessary. If the user believes the message is not properly decrypted because the key typed into the keyboard 426 was not the private key, or password corresponding to the private key, that can be used to decrypt the encrypted message, the user can use the keyboard 426 to direct the encrypted key recovery field storage 414 to provide the encrypted key recovery field to encrypted key recovery field forwarder 416, and direct encrypted key recovery field forwarder 416 to forward via output 418 the encrypted key recovery field to his or her certificate authority or other party that has the private key corresponding to the public key used to encrypt the encrypted key recovery field received at input 408.

In another embodiment, the detection of whether the decryption of the message by message decryptor 422 successfully deciphered the message is automated using a field with a known value in the message inserted prior to encryption as described above, and if that value is not detected by message decryptor 422, it signals encrypted key recovery storage 414 to pass the encrypted key recovery field to encrypted key recovery forwarder 416 for forwarding to another party as described herein. When the session key is received from such party, the user can type it into the keyboard 426 to provide it to message decryptor 422, which retrieves the encrypted message from encrypted message storage 412 and uses the session key to decrypt the message using conventional symmetric decryption techniques. The message is available to the user for display via display 424 or for storage in the message decryptor 422 or elsewhere via output 428.

Referring now to Figure 5, one embodiment of the certificate authority system 214 of Figure 2 is shown. Parties who have made prior arrangements to recover the key recovery fields provide private information that can be used to verify the identity of the party at a later time. Private information for each such party received such as social security number, mother's maiden name and/or other information that is relatively unknown except to the party from whom the key recovery field was received is entered via input 525 and maintained in a conventional database 530 via a conventional server 524 such as the Oracle 7 product commercially available from Oracle corporation of Redwood Shores, California. The private information is indexed using the unique identifier such as the recipient's public key, that will be sent with or as a part of the key recovery field.

When a party that has made the arrangements to store the private information as described above loses or forgets its private key, it sends the key recovery field to the system 214 via a communication line or link. KRF storage 510 stores in memory or disk the encrypted key recovery field received at input 516 coupled to a recipient system 212 of Figure 2. The private key that can be used to decrypt the key recovery field stored in KRF storage 510 is stored in private key storage 512 made of memory or disk, having been input via input 518. KRF decryptor 514 receives the key recovery field from KRF storage 510 and the recipient's certificate authority's private key from private key storage 512 and uses conventional asymmetric decryption techniques to decrypt the key recovery field.

In one embodiment the key recovery field contains a session key and an identifier. The identifier can be the public key of the party from whom the key recovery field was received or any other unique identifier that can identify the party from whom the key recovery field was received. The decrypted identifier is stored in decrypted identifier storage 522 made from a storage device such as memory or disk and the decrypted session key is stored in decrypted session key storage 520 made from a storage device such as memory or disk.

The server 524 receives the decrypted identifier and uses it as an index to retrieve the private information corresponding to the identifier that is stored in the database 530. The private information is passed to stored private data storage 532 which is made from a storage device such as memory or disk. Referring momentarily to Figure 2, the party from whom the key recovery field was received sends via a secure or separate communication line such as conventional telephones 226, 228 and conventional telephone line 224 a copy of the private data.

Referring again to Figure 5, in one embodiment the copy of the private data is stored in received private data storage 534 which is made from a storage device such as memory or disk. This private data is compared with the data retrieved from the database and stored in stored private data storage 532 using compare 536, and if the data in stored private data storage 532 matches the data in received private storage 534, compare 536 signals session key transmitter 526 to retrieve the session key stored in decrypted session key storage 520 and transmit it to the party from whom the key recovery field was received using a secure e-mail system and an e-mail address that was retrieved from the database 530 into stored private data storage 532.

In another embodiment, a human operator replaces the compare 536 and received private data storage 534. The operator views on a display screen 540 the data in stored private data storage 532, and prompts the party from whom the key recovery field was received to recite the data by asking for their social security number, mother's maiden name or other private data, and if the responses approximately match those stored in the stored private data storage 532, uses input 527 to direct the session key transmitter 527 to retrieve the session key stored in decrypted session key storage 520 and transmit it to the party from whom the key recovery field was received using an e-mail address that was retrieved from the database 530 into stored private data storage 532 or other location as described by the party providing the private information. The certificate authority or other trusted person receiving the key recovery field solely for purposes of decrypting it and providing the session key to another party is not an "intended recipient" as used herein.

Referring now to Figure 6, a method of encrypting a message and a session key according to one embodiment of the present invention is shown. The message, which can contain a header describing its intended recipients and containing other information, is received 610. A session key is received 612, either by receiving it from an external source or generating it using conventional key generation methods as described above. The message is encrypted 614 using conventional symmetric decryption techniques and the session key from step 612. The recipient public key is received either from an external source or using a lookup based on one of the recipients in the message header as described above. The session key is encrypted 618 using conventional asymmetric encryption methods and the public key of the recipient as described above.

A key recovery field is created 620, which contains the unencrypted session key from step 612 and an identifier of one of the intended recipients, such as the public key received in step 616. The public key of the certificate authority corresponding to the key of step 616 is received 622, either from an external source or using a lookup based on the intended recipient as described above. The key recovery field is encrypted 624 using conventional asymmetric encryption techniques and the public key received in step 622.

The encrypted message of step 614, encrypted session key of step 618 and encrypted key recovery field of step 624 are transmitted to the intended recipient whose public key was received in step 616. If the message is intended for additional recipients 628, the method repeats at step 612 using a different recipient in step 616, session key in step 612, and if necessary, a different public key 622 until the transmission step 626 has occurred for all recipients for whom a public key is available. If another message is available, it is received at step 610 and the method repeats.

Referring now to Figure 7, a method of decrypting messages according to one embodiment of the present invention is shown. The message, session key and key recovery field, each encrypted as described herein are received 710. The user is prompted for his private key and if a private key is entered in response to the prompt 712, the key is received 714. The key received in step 714 is used with conventional asymmetric decryption techniques to decrypt 716 the session key received in step 710, and the decrypted session key decrypted in step 716 is used to decrypt 718 the message.

If the message is properly decrypted 720, the method stops. Proper decryption can be detected manually by the user reviewing the message, or automatically, for example by comparing a field that has a known value when properly decrypted with the known value.

If the message is not properly decrypted or the private key is damaged, not available or the password corresponding to the private key is forgotten, the key recovery field is forwarded to the certificate authority along with private information such as mother's maiden name, social security number or other information likely to be known only to the owner of the private key 722. The certificate authority decrypts the key recovery field as described below, and returns the session key, which is received 724 and used with conventional symmetric decryption techniques to decrypt the message 726.

Referring now to Figure 8, a method of providing a session key according to one embodiment of the present invention is shown. The key recovery field is received 810 and a private key is received 812. In one embodiment, the private key is received by retrieving it from storage, and in another embodiment, the key is provided at an input device such as a keyboard. The key recovery field received in step 810 is decrypted using the private key received in step 812.

Private data stored prior to the receipt of the key recovery field in step 810 is retrieved 816 using an identifier received as an index to a database or other file of stored private data. The private data can be stored in the database at the time the certificate authority issues a corresponding certificate. In one embodiment, the identifier is received as a part of the key recovery field received in step 810. In another embodiment, the identifier is received separately from the key recovery field. In one embodiment, the identifier is the public key of the party from whom the key recovery field is received in step 810. The identifier can be any identifier that uniquely identifies the party from whom the key recovery field is received in step 810.

Private data is received 818 from the party from whom the key recovery field is received in step 810, in response to prompts via the telephone in one embodiment or a secure communication line in another embodiment, and some or all of the data received in step 818 is compared 820 with the corresponding private data retrieved in step 816. If a match or near match results from the comparison 822, the session key decrypted as a part of the key recovery field in step 814 is provided, in one embodiment, to the party from whom the key recovery field is received in step 810.
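The key recovery field of Figures 6 and 8 (steps 620-624 and 814-822) can be traced end to end in a short sketch; this is an added example, not code from the patent. The toy textbook-RSA key, the length-prefixed field layout, the `normalize` reading of "near match" and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy CA key pair (two Mersenne primes). Textbook RSA without padding
# stands in for "conventional asymmetric encryption"; it is not secure.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
CA_N, CA_D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def make_krf(session_key, identifier):
    """Steps 620-624: session key plus identifier, encrypted to the CA public key."""
    field = bytes([len(session_key)]) + session_key + identifier
    m = int.from_bytes(field, "big")
    if m >= CA_N:
        raise ValueError("field too long for the toy modulus")
    return pow(m, E, CA_N)

def open_krf(krf):
    """Step 814: the CA decrypts the field and splits it again."""
    m = pow(krf, CA_D, CA_N)
    field = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return field[1:1 + field[0]], field[1 + field[0]:]

def normalize(private_data):
    """Assumed reading of "near match": ignore case and extra whitespace."""
    return " ".join(private_data.lower().split()).encode()

class CertificateAuthority:
    def __init__(self):
        self.private_data = {}  # identifier -> private data stored at issuance
    def enroll(self, identifier, private_data):
        self.private_data[identifier] = normalize(private_data)
    def recover(self, krf, claimed):
        """Steps 814-822: release the session key only if the private data matches."""
        session_key, identifier = open_krf(krf)
        stored = self.private_data.get(identifier)
        if stored is None or not hmac.compare_digest(stored, normalize(claimed)):
            return None
        return session_key

def demo():
    ca = CertificateAuthority()
    ident = hashlib.sha256(b"constructed recipient public key").digest()
    ca.enroll(ident, "Maiden-Name Example")  # constructed private data
    key = secrets.token_bytes(16)  # step 612
    krf = make_krf(key, ident)  # steps 620-624
    refused = ca.recover(krf, "someone else")
    recovered = ca.recover(krf, "  maiden-name   EXAMPLE ")
    return refused, recovered == key
```

The sketch makes the trust boundary visible: the only thing standing between a holder of the encrypted field and the session key is the private-data comparison in `recover`, so the strength of that check bounds the strength of the scheme.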

The message and key recovery field can also be intercepted by law enforcement authorities, who can provide a court order requiring the certificate authority or other party having the private key that can decrypt the key recovery field to decrypt the key recovery field, allowing decryption of the message without notifying the intended recipient.

Claims 

1. An apparatus for encrypting at least one message having at least one intended recipient, and encrypting at least one session key, the apparatus having an input and an output and comprising:

a cypher text encryptor having a first input coupled to the apparatus input to receive the at least one message and having a second input coupled to receive the at least one session key, the cypher text encryptor for encrypting the message responsive to the session key to create cypher text provided at an output coupled to the apparatus output; and

an encrypted KRF generator having a first input coupled to receive the session key, a second input coupled to receive a public key of a party not an intended recipient, the encrypted KRF generator for producing a key recovery field comprising the session key and at least one identifier of at least one of the intended recipients of the message, for encrypting the key recovery field responsive to the public key received at the second encrypted KRF generator input to produce an encrypted key recovery field provided at an output coupled to the apparatus output.

2. The apparatus of claim 1 wherein the encrypted KRF generator additionally has a third input coupled to receive the at least one identifier.

3. The apparatus of claim 1 or 2 additionally comprising a session key encryptor having a first input for receiving the session key and a second input for receiving a public key of at least one of the intended recipients of the message, the session key encryptor for encrypting the public key to produce an encrypted public key provided at an output coupled to the apparatus output.

4. The apparatus of claim 1, 2 or 3 wherein the at least one identifier received at the second encrypted KRF generator input comprises at least one public key of at least one of the intended recipients of the message.

5. A method of encrypting a message having at least one intended recipient and encrypting a session key, comprising:

receiving a session key;

encrypting the message responsive to the session key;

receiving a first public key different from public keys of the intended recipients of the message; and

encrypting the session key responsive to the first public key.

6. The method of claim 5 additionally comprising the steps of:

receiving a public key of at least one intended recipient; and

encrypting the session key responsive to the public key of at least one of the at least one intended recipients.

7. The method of claim 6 wherein the public key different from public keys of the intended recipients of the message comprises a public key of a certificate authority.

8. The method of claim 7 wherein the certificate authority is a certificate authority that bound the public key of the at least one intended recipient to a name or identity of said intended recipient.

9. The method of one of claims 5 to 8 comprising the additional step of providing the session key encrypted and the message encrypted.

10. The method of one of claims 5 to 8 comprising the additional steps of providing the two session keys encrypted and the message encrypted.

11. An apparatus for decrypting messages encrypted using a first session key, comprising:

a message decryptor having at least one input coupled to receive the encrypted message and a second session key and for decrypting the encrypted message using the second session key responsive to the second session key comprising the first session key; and

an encrypted key recovery field forwarder having at least one input coupled to receive an encrypted key recovery field, for forwarding said key recovery field via a communications line to an external device for decryption.

12. The apparatus of claim 11 additionally comprising an encrypted session key decryptor having at least one input coupled to receive the first session key and to receive a private key, the encrypted session key decryptor for decrypting and providing at an output a session key responsive to the private key.

13. The apparatus of claim 12 wherein the second session key is selected from the encrypted session key decryptor output and an input.

14. A method of decrypting an encrypted message using a private key, comprising:

receiving the encrypted message and at least one encrypted session key and at least one encrypted key recovery field;

forwarding via a communications line at least one of the key recovery fields to an external device;

receiving a first decrypted session key; and

decrypting the message using the decrypted session key.

15. The method of claim 14 comprising the additional step of providing private information.

16. The method of claim 14 or 15 comprising the additional steps of:

receiving a private key;

attempting to decrypt at least one of the encrypted session keys responsive to the private key received in order to produce a decrypted session key; and

attempting to decrypt the message received using the decrypted session key.

17. The method of claim 16 comprising the additional step of identifying a successful attempt to decrypt the message, and wherein the forwarding step, receiving the first decrypted session key step, and decrypting the message step are each responsive to the identifying step.

18. The method of claim 17 wherein the identifying step follows the attempting to decrypt the message step and comprises comparing a value of a field of the message with a known value.

19. An apparatus for receiving a key recovery field comprising an encrypted session key and providing the session key, comprising:

a key recovery field decryptor having at least one input coupled to receive at least a portion of the key recovery field including the session key and having at least one second input coupled to receive a private key, for decrypting the portion of the key recovery field received responsive to the private key to produce a session key and providing at a first output the session key;

a database server having at least one input coupled to receive an identifier corresponding to private data, for providing at an output stored private data corresponding to the identifier; and

a session key transmitter having at least one first input coupled to the key recovery field decryptor output for transmitting the session key to an external remote device via a communications line responsive to a second input having a first state and a second state in the first state.



20. The apparatus of claim 19 wherein the key recovery field additionally comprises an encrypted identifier and the portion of the key recovery field received by the key recovery field decryptor comprises the encrypted identifier and the key recovery field decryptor is additionally for decrypting the encrypted identifier to produce an identifier and for providing at a second output coupled to the sender input the identifier.

21. The apparatus of claim 19 or 20 additionally comprising a compare having a first input coupled to the server output to receive the private data and a second input coupled to receive a received private data, and having an output coupled to the session key transmitter second input having a first state responsive to the private data received at the first input substantially matching the received private data received at the second input.

22. The apparatus of claim 21 wherein the compare output additionally has a second state responsive to the private data received at the first input not substantially matching the received private data received at the second input.

23. A method of providing a session key, comprising:

receiving an encrypted session key, an identifier and private data;

decrypting the encrypted session key;

retrieving stored private data using the identifier;

comparing the stored private data retrieved with the private data received; and

responsive to the stored private data retrieved substantially identical to the private data received, providing the session key decrypted.

24. The method of claim 23 wherein the decrypting step is responsive to the stored private data retrieved substantially identical to the private data received.

25. The method of claim 23 or 24 wherein the identifier is a public key.

26. The method of claim 23 or 24 wherein the identifier is unique.

27. The method of claim 23 or 24 wherein the identifier is encrypted, and the retrieving step comprises:

decrypting the identifier to produce a decrypted identifier; and

retrieving stored private data using the decrypted identifier.